How to enumerate webserver directories with Nmap on Kali Linux

In this tutorial we will be using Nmap on Kali Linux to scan and enumerate webserver directories from popular web applications and servers. We will be using the Nmap script http-enum.nse for this purpose. The first step in web application penetration testing is scanning webserver directories for popular web applications so we can see which applications have been installed on the particular webserver and what directories are available. Many applications have known vulnerabilities and attack strategies that can be exploited in order to gain administrator access or to exploit data. Using this Nmap script we can quickly get an overview of those applications with version numbers so we can check vulnerability databases for known vulnerabilities and exploits. The Nmap script parses a fingerprint file and scans the targeted webserver for any matches and also returns the particular version of the web application. In the nselib/data folder there is a file called ‘http-fingerprints.lua’. This file contains all the available fingerprints with a description in the header for those who are interested in what is exactly scanned by this Nmap script. The current fingerprint database is really huge and is still updated on a regular basis. If you want to use a Nikto database with fingerprints instead of the lua file, you can also parse a Nikto-formatted database using http-fingerprints.nikto-db-path.

Let’s continue this tutorial and switch to Kali Linux for some hands on testing with Nmap.

Enumerate webserver directories

Use the following command to enumerate directories used by popular web applications:

nmap –script http-enum.nse [host]

Depening on the applications which are installed on the targeted host, Nmap returns a list of those applications. In the Hacking Tutorials video the target has a WordPress installation running which is confirmed by the Nmap script.